Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use nltest, you must run the nltest command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Test trust relationships and the state of domain controller replication in a Windows domain

Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

Nltest can test and reset the secure channel that the NetLogon service establishes between clients and the domain controller that logs them on. Clients using Kerberos authentication cannot use this secure channel.

A discrete communication channel, known as the secure channel, exists between trusted domains in a Windows NT 4.0 environment and parent domains and their immediate children in an Active Directory environment. In a Windows NT 4.0 environment, nltest uses these channels to authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication.

Nltest provides diagnostic features that you can use for troubleshooting Windows Server 2008 operating system configurations. However, because nltest is designed primarily for system administrators and support personnel, its output may be difficult to analyze. In this case, you can review the appropriate troubleshooting sections in the Windows Deployment and Resource Kits. Search for any of the keywords from the bulleted list in the nltest description above.

Reports on the state of the secure channel the last time you used it. (The secure channel is the one that the NetLogon service established.)

/repl

Forces synchronization with the primary domain controller (PDC). Nltest synchronizes only changes that are not yet replicated to the backup domain controller (BDC). You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/sync

Forces an immediate synchronization with the PDC of the entire Security Accounts Manager (SAM) database. You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/pdc_repl

Forces the PDC to send a synchronization notification to all BDCs. You can use this parameter for Windows NT 4.0 PDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/sc_query:<DomainName>

Reports on the state of the secure channel the last time that you used it. (The secure channel is the one that the NetLogon service established.) This parameter also lists the name of the domain controller that you queried on the secure channel.

/sc_reset:[<DomainName>]

Removes, and then rebuilds, the secure channel that the NetLogon service established. You must have administrative credentials to use this parameter.

/sc_verify:[<DomainName>]

Checks the status of the secure channel that the NetLogon service established. If the secure channel does not work, this parameter removes the existing channel, and then builds a new one. You must have administrative credentials to use this parameter. This parameter is only valid on domain controllers that run Windows 2000 with Service Pack 2 and later.
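As an added example (not from the nltest reference), a small Python script that reads the text that /sc_query prints and decides whether the channel is usable or should be removed and rebuilt with /sc_reset, which is the choice /sc_verify makes in one step. The two sample outputs, the DC name and the domain name are constructed, not captured from a real system.

```python
import re

# Constructed sample output in the layout that "nltest /sc_query:<DomainName>"
# prints (not captured from a real system): one healthy channel, one failed call.
HEALTHY = r"""Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC01.contoso.example
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""
BROKEN = r"""I_NetLogonControl failed: Status = 1786 0x6fa ERROR_TRUSTED_RELATIONSHIP_FAILURE
"""

# nltest reports the Win32 status as "Status = <decimal> 0x<hex> <symbolic name>".
STATUS_RE = re.compile(r"Status = (\d+) 0x([0-9A-Fa-f]+) (\w+)")
DC_RE = re.compile(r"Trusted DC Name \\\\(\S+)")
FLAGS_RE = re.compile(r"^Flags: ([0-9A-Fa-f]+)((?: +\w+)*)", re.M)


def parse_sc_query(text):
    """Extract the DC name, Win32 status and flag words from /sc_query output."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no Status line in nltest output")
    dc = DC_RE.search(text)
    flags = FLAGS_RE.search(text)
    return {
        "dc": dc.group(1) if dc else None,
        "status": int(m.group(1)),
        "status_name": m.group(3),
        "flags": flags.group(2).split() if flags else [],
    }


def recommend(text, domain):
    """Map the channel state to the action the reference describes: status 0
    means the channel is usable; anything else means remove and rebuild it."""
    info = parse_sc_query(text)
    if info["status"] == 0:
        return "ok: secure channel to %s" % info["dc"]
    return "rebuild: nltest /sc_reset:%s (%s)" % (domain, info["status_name"])


if __name__ == "__main__":
    print(recommend(HEALTHY, "contoso"))
    print(recommend(BROKEN, "contoso"))
```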

/sc_change_pwd:[<DomainName>]

Changes the password for the trust account of a domain that you specify. If you run nltest on a domain controller, and an explicit trust relationship exists, then nltest resets the password for the interdomain trust account. Otherwise, nltest changes the computer account password for the domain that you specify. You can use this parameter only for computers that are running Windows 2000 and later.

/dclist:[<DomainName>]

Lists all domain controllers in the domain. In a Windows NT 4.0 domain environment, this parameter uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this query is unsuccessful, nltest then uses the Browser service.

/dcname:[<DomainName>]

Lists the primary domain controller or the PDC emulator for DomainName.

/dsgetdc:[<DomainName>]

Queries the Domain Name System (DNS) server for a list of domain controllers and their corresponding IP addresses. This parameter also contacts each domain controller to check for connectivity.

The following list shows the values that you can use to filter the list of domain controllers or to specify alternate name types in the syntax.

/PDC: Returns only the PDC (Windows NT 4.0) or domain controller that you designate as the PDC emulator (Windows 2000 and later).

/DS: Returns only those domain controllers that are Windows 2000 and later.

/DSP: Returns only Windows 2000 and later domain controllers. If the query finds no such server, then this value returns Windows NT 4.0 domain controllers.

/GC: Returns only those domain controllers that you designate as global catalog servers.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/TIMESERV: Returns only those domain controllers that you designate as time servers.

/GTTIMESERV: Returns only those domain controllers that you designate as master time servers.

/WS:

/NetBIOS: Specifies computer names in the syntax as NetBIOS names. If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/DNS: Specifies computer names in the syntax as fully qualified domain names (FQDNs). If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/IP: Returns only domain controllers that have IP addresses. This value returns only domain controllers that use TCP/IP as their protocol stacks.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in the cache for the information.

/Writable: Requires that the returned domain controller be writable; that is, that it host a writable copy of the directory service (for Windows 2000 and later DCs) or of the SAM (for DCs in operating systems prior to Windows 2000). A DC in an operating system prior to Windows 2000 is writable only if it is a primary domain controller. All Windows 2000 domain controllers are writable.

/Avoidself: When called from a domain controller, specifies that the returned domain controller name should not be the current computer. If the current computer is not a domain controller, this flag is ignored. This flag can be used to obtain the name of another domain controller in the domain.

/LDAPOnly: Specifies that the server returned is an LDAP server. The server returned is not necessarily a domain controller. No other services are implied to be present at the server. The server returned does not necessarily have a writable config container nor a writable schema container. The server returned may not necessarily be used to create or modify security principals. This flag may be used with the DS_GC_SERVER_REQUIRED flag to return an LDAP server that also hosts a global catalog server. The returned global catalog server is not necessarily a domain controller. No other services are implied to be present at the server. If this flag is specified, the DS_PDC_REQUIRED, DS_TIMESERV_REQUIRED, DS_GOOD_TIMESERV_PREFERRED, DS_DIRECTORY_SERVICE_PREFERRED, DS_DIRECTORY_SERVICE_REQUIRED, and DS_KDC_REQUIRED flags are ignored.

/Backg: If the DS_FORCE_REDISCOVERY flag is not specified, this function uses cached domain controller data. If the cached data is more than 15 minutes old, the cache is refreshed by pinging the domain controller. If this flag is specified, this refresh is avoided even if the cached data is expired. This flag should be used if the DsGetDcName function is called periodically.

/DS_6: Requires that the returned domain controller be running Windows Server 2008 or later.

/DS_8: Requires that the returned domain controller be running Windows Server 2012 or later.

/Try_Next_Closest_Site: When this flag is specified, DsGetDcName attempts to find a domain controller in the same site as the caller. If no such domain controller is found, it will find a domain controller that can provide topology information and call DsBindToISTG to obtain a bind handle, then call DsQuerySitesByCost over UDP to determine the "next closest site," and finally cache the name of the site found. If no domain controller is found in that site, then DsGetDcName falls back on the default method of locating a domain controller.

If this flag is used in conjunction with a non-NULL value in the SiteName input parameter, ERROR_INVALID_FLAGS is returned. Also, the kind of search employed with DS_TRY_NEXTCLOSEST_SITE is site-specific, so this flag is ignored if it is used in conjunction with DS_PDC_REQUIRED. Finally, DS_TRY_NEXTCLOSEST_SITE is ignored when used in conjunction with DS_RETURN_FLAT_NAME, because that flag uses NetBIOS to resolve the name, and the domain of the domain controller found will not necessarily match the domain to which the client is joined.

Note

This flag is Group Policy enabled. If you enable the "Try Next Closest Site" policy setting, Next Closest Site DC Location will be turned on for the machine across all available but un-configured network adapters. If you disable the policy setting, Next Closest Site DC Location will not be used by default for the machine across all available but un-configured network adapters. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, DsGetDcName honors the Next Closest Site behavior. If you do not configure this policy setting, Next Closest Site DC Location will not be used by default for the machine across all available but un-configured network adapters. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.

/Ret_DNS: Specifies that the names returned in the DomainControllerName and DomainName members of DomainControllerInfo should be DNS names. If a DNS name is not available, an error is returned. This switch cannot be specified with the /Ret_NETBIOS switch. This flag implies the DS_IP_REQUIRED flag.

/Ret_NETBIOS: Specifies that the names returned in the DomainControllerName and DomainName members of DomainControllerInfo should be flat names. If a flat name is not available, an error is returned. This switch cannot be specified with the /Ret_DNS switch.

/dnsgetdc:<DomainName>

Queries the DNS server for a list of domain controllers and their corresponding IP addresses.

The following list shows the values that you can use to filter the list of domain controllers.

/PDC: Returns only those domain controllers that are PDCs (Windows NT 4.0) or designated as PDC emulators.

/GC: Returns only those domain controllers that you designate as global catalogs.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/WRITABLE: Returns only those domain controllers that can accept changes to the directory database. This value returns all Active Directory domain controllers, but not Windows NT 4.0 BDCs.

/LDAPONLY: Returns servers that are running a Lightweight Directory Access Protocol (LDAP) application. The servers can include LDAP servers that are not domain controllers.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in cache for the information.

/SITE:<SiteName>: Sorts the returned records to list first the records that pertain to the site that you specify.

/SITESPEC: Filters the returned records to display only those records that pertain to the site that you specify. This operation can only be used with the /SITE parameter.

/dsgetfti:<DomainName> [/UpdateTDO]

Returns information about interforest trusts. You use this parameter only for a Windows Server 2008 domain controller that is in the root of the forest. If no interforest trusts exist, this parameter returns an error.

The /UpdateTDO value updates the locally stored information on the interforest trust.

/dsgetsite

Returns the name of the site in which the domain controller resides.

/dsgetsitecov

Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own.

/parentdomain

Returns the name of the parent domain of the server.

/dsregdns

Refreshes the registration of all DNS records that are specific to a domain controller that you specify.

/dsderegdns:<DnsHostName>

Deregisters DNS host records for the host that you specify in the DnsHostName parameter.

The following list shows the values that you can use to specify which records nltest deregisters.

/DOM: Specifies a DNS domain name for the host to use when you search for records on the DNS server. If you do not specify this value, nltest uses the DNS domain name as the suffix of the DnsHostName parameter.

/DSAGUID: Deletes Directory System Agent (DSA) records that are based on a GUID.

/DOMGUID: Deletes DNS records that are based on a globally unique identifier (GUID).

/whowill:<Domain> <User>

Finds the domain controller that has the user account that you specify. You can use this parameter to determine whether nltest has replicated the account information to other domain controllers.

/finduser:<User>

Finds the directly trusted domain that the user account that you specify belongs to. You can use this parameter to troubleshoot logon issues on older client operating systems.

/transport_notify

Flushes the negative cache to force the discovery of a domain controller. You can use this parameter for Windows NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.

/dbflag:<HexadecimalFlags>

Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.

/user:<UserName>

Displays many of the attributes that you maintain in the SAM account database for the user that you specify. You cannot use this parameter for user accounts that are stored in an Active Directory database.

/time:<HexadecimalLSL> <HexadecimalMSL>

Converts Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword.

/logon_query

Queries the cumulative number of NTLM logon attempts at a console or over a network.

The following list shows the values that you can use to filter the list of domains.

/Primary: Returns only the domain to which the computer account belongs.

/Forest: Returns only those domains that are in the same forest as the primary domain.

/Direct_Out: Returns only the domains that are explicitly trusted with the primary domain.

/Direct_In: Returns only the domains that explicitly trust the primary domain.

/All_Trusts: Returns all trusted domains.

/v: Displays verbose output, including any domain SIDs and GUIDs that are available.

/dsquerydns

Queries for the status of the last update for all DNS records that are specific to a domain controller that you specify.

/bdc_query:<DomainName>

Queries for a list of BDCs in DomainName, and then displays their state of synchronization and replication status. You can use this parameter only for Windows NT 4.0 domain controllers.

/sim_sync:<DomainName> <ServerName>

Simulates full synchronization replication. This is a useful parameter for test environments.

/list_deltas:<FileName>

Displays the contents of the FileName change log file, which lists changes to the user account database. Netlogon.chg is the default name for this log file, which resides only on Windows NT 4.0 BDCs.

/cdigest:<Message> /domain:<DomainName>

Displays the current digest that the client uses for the secure channel. (The digest is the calculation that nltest derives from the password.) This parameter also displays the digest that is based on the previous password. Nltest uses the secure channel for logons between client computers and a domain controller, or for directory service replication between domain controllers. You can use this parameter in conjunction with the /sdigest parameter to check the synchronization of trust account passwords.

/sdigest:<Message> /rid:<RID_In_Hexadecimal>

Displays the current digest that the server uses for the secure channel. (The digest is the calculation that nltest derives from the password.) This parameter also displays the digest for the previous password. If the digest from the server matches the digest from the client, then the passwords that nltest uses for the secure channel are synchronized. If the digests do not match, then nltest might not have replicated the password change yet.

/shutdown:<Reason> [<Seconds>]

Remotely shuts down the server that you specify in ServerName. You use a string to specify the reason for the shutdown in the Reason value, and you use an integer to specify the number of seconds before the shutdown occurs in the Seconds value. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown.

The DNS_DC and DNS_DOMAIN flags indicate the format of the information returned in the request (as opposed to a flag like GC or TIMESERV, which tells you something about the domain controller that returned the information). Specifically, their presence indicates that the returned domain controller name and domain name, respectively, were in DNS format. Their absence indicates that the returned domain controller name and domain name were in NetBIOS format.
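As an added example (not part of the nltest reference), a Python parser for the output of /dsgetdc that checks whether the returned domain controller actually satisfies the filter switches that were requested, reading the role words in the Flags line and the DNS_DC and DNS_DOMAIN name-format flags described above. The sample output, host names, GUID and address are constructed; the mapping from switch to flag word follows the descriptions given for /dsgetdc.

```python
import re

# Constructed sample in the layout "nltest /dsgetdc:<DomainName> /GC /KDC
# /Writable /Ret_DNS" prints (not real output; 192.0.2.x is a documentation range).
SAMPLE = r"""           DC: \\DC01.contoso.example
      Address: \\192.0.2.10
     Dom Guid: 00000000-0000-0000-0000-000000000000
     Dom Name: contoso.example
  Forest Name: contoso.example
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xe3f7
The command completed successfully
"""

# The word in the Flags line that each role filter demands. /Ret_DNS and
# /Ret_NETBIOS are about name format (DNS_DC / DNS_DOMAIN), so they are
# handled separately below.
REQUIRES = {
    "/PDC": "PDC", "/GC": "GC", "/KDC": "KDC", "/TIMESERV": "TIMESERV",
    "/GTTIMESERV": "GTIMESERV", "/Writable": "WRITABLE", "/DS": "DS",
    "/LDAPOnly": "LDAP",
}


def parse_dsgetdc(text):
    """Turn the 'Key: Value' lines into a dict; Flags becomes a set of words."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    words = info.get("Flags", "").split()
    info["Flags"] = {w for w in words if not w.startswith("0x")}  # drop the hex total
    return info


def unmet(text, switches):
    """Return the requested switches that the returned DC does not satisfy."""
    flags = parse_dsgetdc(text)["Flags"]
    dns_names = {"DNS_DC", "DNS_DOMAIN"}
    missing = []
    for sw in switches:
        if sw in REQUIRES and REQUIRES[sw] not in flags:
            missing.append(sw)
        elif sw == "/Ret_DNS" and not dns_names <= flags:
            missing.append(sw)
        elif sw == "/Ret_NETBIOS" and dns_names & flags:
            missing.append(sw)
    return missing


if __name__ == "__main__":
    print(unmet(SAMPLE, ["/GC", "/KDC", "/Writable", "/Ret_DNS"]))
```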

Example 4: Determine the PDC emulator for a domain

The following example identifies the domain controller that Windows NT 4.0–based computers see as the PDC emulator for a domain.